@prologic@twtxt.net Kinda. As per usual, Tim Berners-Lee is in the media here to promote Solid, a bad self-hosting idea that only gets coverage because Tim’s famous.
@abucci@anthony.buc.ci Whether warning before or after the date is somewhat immaterial, except it slides the sysadmin window even narrower, for no good reason. Google’s already aggressively forced everyone to a 12 month deadline. Not everything supports Let’s Encrypt. And so every year we have a window where I have to rush around and update all the certs before the expiration date, but if I start the process too soon, then I am doing it every eleven months, because of that absolute 12 month cap.
And again, there’s nothing inherently less secure about a 13 month old cert than a 12 month old cert. About 99% of certificate behavior is security theater and Google flexing its ability to force everyone to do what it says.
@lyse@lyse.isobeef.org We tricked rocks into thinking, and this is how they get back at us for it, because thinking is a horrible curse.
@abucci@anthony.buc.ci I think TLS is fine. I think PKI is a crock of garbage, because most participants in PKI are garbage, and Google has complete capture of it and makes decisions that work best for it, and not the real world.
Ultimately what I think should happen for certificate expiration is browsers should soft-warn for like a week or two after expiry, with like a yellow address bar, as opposed to trying to block navigation. The risk of an expired cert just doesn’t justify browser behavior.
@prologic@twtxt.net I have to be reachable during my personal time for work stuff. So I feel no guilt or shame in being reachable during my work time for personal stuff. It’s a balance still.
@abucci@anthony.buc.ci I literally had to fix an outage this weekend caused by a weird certificate. Not external facing, but the security risk caused by it was nonexistent, and yet, it was implemented as a requirement and caused random unexpected breakage when it expired itself.
Unfortunately, I feel that right now the people who decide on how to run PKI are so far removed from the real world and practical concerns, it’s straight up comical. 81% of organizations have had outages caused by expired certificates, something that has almost no real world security benefit. https://betanews.com/2022/03/22/81-percent-of-organizations-have-outages-caused-by-expired-certificates/
@abucci@anthony.buc.ci Bypassing a warning about an expired certificate is basically never actually dangerous. I have yet to see a maliciously used expired certificate in the wild.
This is an excellent post. https://theintercept.com/2022/10/28/elon-musk-twitter/
@abucci@anthony.buc.ci Yep. Eugen said image uploads for posts took like 12 minutes after uploading to process earlier today.
@abucci@anthony.buc.ci As long as open source orgs reject the concept of sustainable development, any reasonably sized project will eventually go corporate.
@prologic@twtxt.net Yep, it’s the land of Musk. The Fediverse is seeing its standard huge population uptick on the news, that will disappear again in a month or two as usual.
@prologic@twtxt.net What is the ttps:// protocol, prologic?
@abucci@anthony.buc.ci I won’t delete mine, but I’ll probably transition from being a user to a lurker.
@mckinley@twtxt.net maya wouldn’t see my response anyways, right?
@mckinley@twtxt.net I’ve just done a manual git pull and push for those, they’re rarely things I’m too worried about keeping “up to date”.
@abucci@anthony.buc.ci Well in this case the problem is that corporations tend to make and control all the web browsers.
@prologic@twtxt.net It does, but EV was already just prohibitively expensive. It’s very hard for corporations to distinguish between malware authors and hobbyist developers, unfortunately.
@prologic@twtxt.net @abucci@anthony.buc.ci The entire public key infrastructure is kinda a joke, tbh. Let’s Encrypt made HTTPS free, but in practice that mostly just means malware can be delivered securely to your PC. EV certs made a lot more sense, but Google had to deprecate those, VMC appears to be a potentially worthy replacement though.
@prologic@twtxt.net @abucci@anthony.buc.ci I’d also definitely second the recommendation of HedgeDoc. It’s very clean and very capable.
@prologic@twtxt.net The official lingo is ocap for object capabilities. And FWIW that is still IMHO just a need for better implementation by Sandstorm: Capabilities done right actually cause a lot less friction than ACLs!
@prologic@twtxt.net Absolutely a jab at Golang. Though I still want to try building a web app with it.
@prologic@twtxt.net True, though it becomes less of a problem once people realize writing apps with traditional security models is bad and everyone does it our way. ;)
The challenge with changing the world is overcoming momentum.
@prologic@twtxt.net I mean I wrote https://github.com/sandstorm-io/sandstorm-error-collector in an evening, but I’m pretty well-versed in working within vagrant-spk at this point, and I knew where to pull most examples of what I was building quickly. (Also with PHP I don’t have to write my own web server…)
@abucci@anthony.buc.ci What I’ve learned in production is the apps need to be built or heavily modified to truly support object capabilities. We’ve packaged numerous apps for Sandstorm, but the best experience is still apps written to work in that environment, even if they aren’t as feature-heavy.
@eaplmx@twtxt.net Both the OS and browser have heavy restrictions, and I want to enable WebAuthn, but only WebAuthn, and I’m not sure what’s breaking it when I test it.
@eaplmx@twtxt.net Just got a couple of these to play with. At the least it’s a convenient option to always using the TOTP app, but I’m having issues getting them working on one of my networks still.
@prologic@twtxt.net I really like Active Directory still. Mostly for Group Policy though, which only works on Windows.
@abucci@anthony.buc.ci As a fun fact, Sandstorm is neither RBAC nor ACL, it uses object capabilities, which is a superior but niche model also seen in Google’s Fuchsia and a very limited number of random things since the 1980’s.
@prologic@twtxt.net To be fair, that both predates Sandstorm (circa 2014), and considering you’ve tried it recently and still spun up your own corporate infrastructure, demonstrates it’s not ready to meet your needs even today.
I would probably love your top bullet points on what Sandstorm would’ve needed to have or do to meet your business infra needs.
@abucci@anthony.buc.ci - Sandstorm.io hopefully someday ;) Though I admit we are probably not quite at the polish today for someone to replace their existing self-hosting stack (yet)
@prologic@twtxt.net Few spelling errors in there. msision, hotable, pacakages
@mckinley@twtxt.net If you have any sort of CI, it is relatively trivial in theory to have it git push to another repo. It’s how I backup all my GitHub repos.
@prologic@twtxt.net No problem. I just got here, and it’s twenty minutes past anyways.
@mckinley@twtxt.net I’ll be late probably.
@prologic@twtxt.net I think the OSI positions are paid positions via memberships/donations. Which is to say, the status quo is perfectly sustainable… for the OSI.
I had recent conversations with both the OSI’s Executive Director and Standards Director, and both conversations convinced me the OSI does not remotely care about sustainable open source.
@prologic@twtxt.net I mean he is very sour on Mastodon/ActivityPub, so it’s not outside the realm of possibility…
@kt84@twtxt.net More than likely if a class action settlement happens, anyone who can allege they had their code on GitHub during the span of time Microsoft was training Copilot will be eligible, which would include anyone who deleted their repos when Microsoft first showed it off.
@prologic@twtxt.net The problem is that if I fork your code (which I can do), and then post it on GitHub (which I can do), then Copilot still trains on it, whether you like it or not.
The answer here, is what’s happening: Litigation.
The problem is the OSI considers this working-as-intended.
@mckinley@twtxt.net Yarn call was actually about Yarn stuff mostly this week? What on earth?
@prologic@twtxt.net NICE! Looks classy.
@prologic@twtxt.net NFT!
Hey all, it’s weekly call time! https://meet.jit.si/Yarn.social Join us!
Why is everyone’s profile picture gone/default on Goryon?
@prologic@twtxt.net I find the top purpose for corporate VPN providers is low-impact legal offenses involving torrenting: It’s not necessarily about the VPN provider not ratting you out, but about being enough of a hassle to uncloak you that by the time the legal process to do so has ramped up, the VPN provider has dumped their logs anyways. Serious crimes, governments are going to act a lot faster, and get the response they need quickly, but for the low level stuff it’s more civil law nonsense, and a VPN company in the middle will befuddle the process.
@abucci@anthony.buc.ci I feel this about Signal giving everyone real phone numbers. I worry a little less about IP addresses because I’m generally pretty public about my rough geographic area anyways…
@abucci@anthony.buc.ci Interestingly enough, Signal has announced plans to deprecate SMS/MMS support entirely. So even if I had a phone which could tamper with my text messages, Signal soon won’t anyways.
Since I’ve solely installed Signal to talk to the Yarn social Signal group, and that’s not a sensitive communication, it doesn’t bother me if it’s compromised very much.
@mckinley@twtxt.net FWIW, spam on IRC is really, really prevalent, and IRC has limited systems to handle it. I know they’ll let you cloak your info with regards to other users seeing it, but trusting them with it is somewhat important to them managing the server.